[tor-bugs] #29207 [Circumvention/Snowflake]: New design for broker -- proxy protocol for snowflakes

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Aug 29 14:54:43 UTC 2019


#29207: New design for broker -- proxy protocol for snowflakes
-------------------------------------------------+-------------------------
 Reporter:  cohosh                               |          Owner:  cohosh
     Type:  enhancement                          |         Status:
                                                 |  assigned
 Priority:  High                                 |      Milestone:
Component:  Circumvention/Snowflake              |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  snowflake, design, ex-sponsor-19,    |  Actual Points:
  anti-censorship-roadmap                        |
Parent ID:                                       |         Points:  5
 Reviewer:                                       |        Sponsor:
                                                 |  Sponsor28-must
-------------------------------------------------+-------------------------

Comment (by cohosh):

 Overall, we want to move to putting all relevant information in the HTTP
 response body and provide `200 OK` responses from the broker for all valid
 interactions. I think it's okay to leave the `400 Bad Request` responses
 alone for requests we catch that definitely deviate from the snowflake
 protocol.

 We want to do this in a backwards compatable way to accomodate proxies
 that have not yet updated. Note that we have control over the broker
 deployment at this time. I propose the following changes:

 ==== Proxy Poll ====
 Updated proxies send

 {{{
 POST [broker URL] HTTP [version]

 {
     version: "1.0",
     sid: [session id]
 }
 }}}
 The broker checks to see if the response body contains a JSON format with
 a version field that specifies version 1.0. If not, revert to old method
 but don't compare the HTTP header with the body (I'm not sure what the
 usefulness of that is).

 The broker then responds with one of two messages:

 - If there are no clients matched the proxy, it sends:
 {{{
  HTTP 200 OK

  {
      status: "no proxies"
  }
 }}}

 For old snowflakes (determined as described above), it sends the old `HTTP
 504 Gateway Timeout` response.

 We might be able to avoid some branching logic and send the new 200
 response to old proxies. I think this is OK to do for backwards
 compatability because the call to `webrtc.Deserialize` will fail and
 [https://github.com/cohosh/snowflake/blob/master/proxy-
 go/snowflake.go#L351 return a null offer] for proxy-go instances and
 browser-based proxies will also
 [https://github.com/cohosh/snowflake/blob/master/proxy/snowflake.js#L112
 fail to received the offer] and continue polling. However, it feels a bit
 risky.

 - If there is a client matched to the proxy, it sends to updated proxies:
 {{{
  HTTP 200 OK
  {
      status: "client match",
      {
          type: offer,
          sdp: [WebRTC SDP]

      }
  }
 }}}
 and the old message to non updated proxies. I'm not sure if the new
 message will work, I have to read more about how the JSON functions in Go
 and node respond to this structure. To receive the offer, the proxy needs
 to be able to find the "type" and "sdp" fields in the JSON object.

 ==== Proxy Answers ====

 Updated proxies send:

 {{{
 POST [broker URL] HTTP[version]

 {
     version: "1.0",
     sid: [session id],
     {
         type: answer,
         sdp: [WebRTC SDP]
     }
 }
 }}}

 The broker then checks the version as above to determine whether it's an
 old or new proxy and uses the provided session ID to match this answer
 with the correct snowflake and provides one of three responses:

 - If the proxy took too long to respond, it sends:
 {{{
  HTTP 200 OK

  {
      status: "client gone"
  }
 }}}
  to updated proxies and `HTTP 410 Gone` to old ones. We ''could'' send the
 new message to old proxies, however old proxies
 [https://github.com/cohosh/snowflake/blob/master/proxy-
 go/snowflake.go#L197 assume the answer was sent to a client] and will wait
 for a data channel to open if they receive a `200 OK` message. We do have
 a timeout built in now since #25688 and #31100 so the token will
 eventually free a slot for more clients.

 - If the body of the POST request was empty or surpassed the read limit,
 it still sends `HTTP 400 Bad Request` to all proxies.

 - If the answer was sent to the client, it sends to all proxies:
 HTTP 200 OK
 {{{
  HTTP 200 OK

  {
      status: "success"
  }
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29207#comment:20>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list